Is this site being detected? Malware entry: MW:ANOMALY:SP8

See: Up(nil): unknown_html RIPE VG abuse at compubyte.vg 193.109.247.224 to 193.109.247.224 narod.ru htxp://knigaimen.narod.ru/
see: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fknigaimen.narod.ru%2F - site infected with malware.
Nothing here: http://urlquery.net/report.php?id=5399436
Quttera flags the following potentially suspicious code:
1001goroskop dot ru/_informer/goroskop_na_segodnja.js?
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['%D0%A1%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F%20%D0%B4%D0%B0%D0%B6%D0%B5%20%D1%81%D0%B0%D0%BC%D1%8B%D0%']] of length 3803 which may point to obfuscation or shellcode.
Threat dump: [[="%D0%A1%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F%20%D0%B4%D0%B0%D0%B6%D0%B5%20%D1%81%D0%B0%D0%BC%D1%8B%D0%B5%20%D0%BF%D1%80%D0%BE%D1%81%D1%82%D1%8B%D0%B5%20%D0%B2%D0%B5%D1%89%D0%B8%20%D0%BC%D0%BE%D0%B3%D1%83%D1%82%20%D0%B4%D0%B0%D0%B2%D0%B0%D1%82%D1%8C%D1%81%D1%8F%20%D0%B2%D0%B0%D0%BC%20%D1%81%20%D1%82%D1%80%D1%83%D0%B4%D0%BE%D0%BC.%20%D0%A0%D0%B0%D0%B1%D0%BE%D1%82%D0%B0%2C%20%D0%BD%D0%B5%D0%BE%D0%B1%D1%85%D0%BE%D0%B4%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C%20%D0%BF%D1%80%D0%B8%D0%BD%D1%8F%D1%82%D0%B8%D]] likely a vcf document download
File size[byte]: 7815
File type: ASCII
MD5: 034C0E5B323582D7D3058B16E6BA1B27
Scan duration[sec]: 0.008000
Read what redleg comments on that malware in this thread here:
https://www.badwarebusters.org/main/itemview/28889
See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fkniga-imen.ru%2F&ref_sel=Google&ua_sel=ff
//** NOTE: There is an attempt to clean up the line above (154:), make it easier to read. It does NOT mean the line is (or is not) malicious!

polonus

virustotal
https://www.virustotal.com/en/file/11d09013abe8d27678dad958572b71c1fb16540094f2faeb8ed32e93d896cff4/analysis/1379278805/

Hi Pondus,

Blacklist status of the <!--LiveInternet counter--> code in line 154 on that page is being confirmed here: http://labs.sucuri.net/?details=counter.yadro.ru
and I have no reason to doubt sucuri analyzers, as they flag this as distributing malware or acting as a redirector!
Moreover, consider this WebRep report: http://www.mywot.com/en/scorecard/1001goroskop.ru?utm_source=addon&utm_content=popup-donuts
for what Quttera flags as potentially suspicious! - misleading and unethical claims.

polonus

Pondus reported that Norman added detection

Script has a malicious counter plugin that acts as a proxy for most of the malware families.
Detection added as Redirector.KV

Thanks Pondus for following up on this.
Then on line 147 there is also a link to (("htxps:" == p ? "htxps:" : "htxp:") + "//openstat.net/cnt.js")
re: http://urlquery.net/report.php?id=594315
rating.openstat.ru/s/_common/b/public/GxojcT-WGAhDzppm8W6H5Q.js benign
[nothing detected] (script) rating.openstat.ru/s/_common/b/public/GxojcT-WGAhDzppm8W6H5Q.js
status: (referer=rating.openstat.ru/)saved 10166 bytes b0811c4cac82bb4fd5b5957e7402b16bd08bf6e6
info: [decodingLevel=0] found JavaScript
suspicious: tracking extensions and adblocking extensions block this…
Quttera flags as potentially suspicious (often meaning exploitable/open to abuse)
Potentially Suspicious files: 1
/s/_common/js/base_lisnUg.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['=%26onf=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%261=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26fx=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26']] of length 259 which may point to obfuscation or shellcode.
Threat dump:
File size[byte]: 272598
File type: ASCII
MD5: D70FD02AE30ABC4241BB51240AD2FA4B
Scan duration[sec]: 4.685000 (Sucuri gives site as verified clean)

polonus
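Both Quttera reports quoted in this thread (the 1001goroskop informer script in the first post and openstat's base_lisnUg.js in the last one) fire on "too low entropy" in a percent-encoded string. The script below is an added example, not code from this thread, from Quttera or from any of the sites discussed: it runs a per-character Shannon entropy calculation (my assumption of the kind of check behind that warning, not the scanner's actual algorithm) over the two strings the reports quote, and URL-decodes them so a reviewer can see what the scanner was looking at; it also handles a dump that the scanner cut off mid-escape, as the first one is.

```python
import math
from collections import Counter
from urllib.parse import unquote

# Strings copied from the two Quttera reports quoted in this thread (the 1001goroskop
# informer script and openstat's base_lisnUg.js); the first one is cut off mid-escape.
GOROSKOP_DUMP = (
    "%D0%A1%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D1%8F%20%D0%B4%D0%B0%D0%B6%D0%B5%20%D1%81%D0%B0%D0%BC%D1%8B%D0%B5%20"
    "%D0%BF%D1%80%D0%BE%D1%81%D1%82%D1%8B%D0%B5%20%D0%B2%D0%B5%D1%89%D0%B8%20%D0%BC%D0%BE%D0%B3%D1%83%D1%82%20"
    "%D0%B4%D0%B0%D0%B2%D0%B0%D1%82%D1%8C%D1%81%D1%8F%20%D0%B2%D0%B0%D0%BC%20%D1%81%20%D1%82%D1%80%D1%83%D0%B4%D0%BE%D0%BC.%20"
    "%D0%A0%D0%B0%D0%B1%D0%BE%D1%82%D0%B0%2C%20%D0%BD%D0%B5%D0%BE%D0%B1%D1%85%D0%BE%D0%B4%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D1%8C%20"
    "%D0%BF%D1%80%D0%B8%D0%BD%D1%8F%D1%82%D0%B8%D"
)
OPENSTAT_DUMP = (
    "=%26onf=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%261"
    "=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26fx"
    "=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26"
)

def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def strip_truncated_escape(s: str) -> str:
    """Drop a trailing '%' or '%X' left by a scanner that cut its dump mid-escape,
    so the cut does not decode into a stray '%' or a U+FFFD replacement character."""
    cut = s.rfind("%")
    return s[:cut] if cut != -1 and len(s) - cut < 3 else s

def decode_dump(s: str) -> str:
    """Percent-decode as UTF-8; any undecodable byte becomes U+FFFD instead of raising."""
    return unquote(strip_truncated_escape(s), errors="replace")

def analyse(name: str, s: str) -> dict:
    """Entropy of the raw percent-encoded string next to that of its decoded form."""
    decoded = decode_dump(s)
    return {"name": name, "decoded": decoded,
            "encoded_bits_per_char": round(shannon_entropy(s), 2),
            "decoded_bits_per_char": round(shannon_entropy(decoded), 2)}

if __name__ == "__main__":
    for name, dump in (("1001goroskop informer", GOROSKOP_DUMP),
                       ("openstat base_lisnUg.js", OPENSTAT_DUMP)):
        r = analyse(name, dump)
        print(f"{r['name']}: encoded {r['encoded_bits_per_char']} bits/char, "
              f"decoded {r['decoded_bits_per_char']} bits/char, text {r['decoded'][:40]!r}")
```

The first dump decodes to plain Russian horoscope text whose percent-encoded form, built from only '%' and hex digits, has lower entropy than the text itself; the second decodes to a run of `=&` pairs, which is low-entropy whichever way you count it. Neither number on its own says anything about whether the script is malicious, which is why the thread leans on the Sucuri and Norman verdicts rather than on this warning.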